
Docker

The Docker integration talks to the Docker Engine API over the Docker socket, which is bind-mounted directly into the level147-net container. The socket is mounted read-only (:ro). Be clear about what that buys: it prevents the container from replacing or deleting the socket file, not from using it. Connecting to a Unix socket and writing requests to it is not a filesystem write, so the full Engine API (including starting privileged containers) remains available, and any process with socket access is effectively root on the host. That is why the container security standards below restrict socket mounts to trusted infra agents.

Socket access

docker-compose.yml

```yaml
# service-level fragment of the level147-net service
volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro
group_add:
  - "988"   # docker group GID on the web VPS
```

The GID 988 must match the docker group on the web VPS: by default the socket is owned root:docker with group read/write permission, and group_add is what puts the container's process into that group. Verify with getent group docker on the host (the GID is the third colon-separated field); from inside the container, ls -ln /var/run/docker.sock should show the same numeric group. The GID is not stable across hosts or reinstalls, so recheck it whenever the VPS is rebuilt.

Dashboard features

  • Docker Logs page (/apps/docker) — lists all containers, streams logs via SSE
  • Portainer widget fallback — falls back to Docker socket when Portainer API is unreachable

API routes

| Route | Purpose |
|---|---|
| GET /api/apps/docker/containers | List all containers |
| GET /api/apps/docker/logs?id=<id> | SSE log stream for a container |

Container security standards

  • Images pinned to explicit semver tags — never :latest in production
  • Pull only from gitea.level147.net (private) or official Docker Hub
  • Resource limits (CPU quota, memory) set on all containers
  • Containers run as non-root where the image supports it
  • Docker socket mounts only to trusted infra agents — never to application containers

See Security Standards for the full container security policy.